Use SSL with CloudFlare

End-to-end HTTPS with Cloudflare

The SSL section of the Cloudflare SSL/TLS app contains several options that determine whether Cloudflare securely connects to your origin web server. This article discusses how to configure your SSL/TLS settings in Cloudflare in a way that will not interfere with your CloudStick setup.

The SSL section of the Cloudflare SSL/TLS app contains several options that determine whether Cloudflare securely connects to your origin web server.

Available options are

  • Off
  • Flexible
  • Full
  • Full (strict)
  • Strict (SSL-Only Origin Pull)

If you don’t have an SSL certificate with CloudStick

If you haven’t deployed an SSL certificate for your web application from the CloudStick dashboard then you can use the following 2 SSL options in Cloudflare.

1.Off

  • Off disables secure HTTPS connections between both visitors and Cloudflare and between Cloudflare and your origin web server.
  • Visitors can only view your website over HTTP.
  • Any connections attempted via HTTPS result in an HTTP 301 redirect to unencrypted HTTP.

2. Flexible

  • Allows a secure HTTPS connection between your visitor and Cloudflare but forces Cloudflare to connect to your origin web server over unencrypted HTTP.
  • An SSL certificate is not required on your origin web server and your visitors will still see the site as being HTTPS enabled.

If you do have an SSL certificate with CloudStick

If you have deployed an SSL certificate for your web application from the CloudStick dashboard then you can use the following SSL options in Cloudflare.

1.Full (strict)

  • Ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your origin web server.
  • Full (strict) support SSL hostname validation against CNAME targets.
  • Full(strict) SSL option checks for SSL certificate validity at the origin web server.

Full (Strict) SSL/TLS option is highly recommended by CloudStick with HSTS(both http and htttps) enabled.

2. Full

  • Full ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your web server.
  • The Full SSL option does not validate SSL certificate authenticity at the origin. A self-signed certificate is allowed at the origin web server.

To avoid 525 errors, before enabling the Full SSL option, configure web applications SSL settings to allow both HTTP and HTTPS traffic.

3. Strict (SSL-Only Origin Pull)

  • ​Strict (SSL-Only Origin Pull) is only available for Enterprise zones.
  • Always connect to your origin web server using SSL/TLS encryption (HTTPS).
  • Optionally allows redirecting HTTP requests to HTTPS, when HTTP is requested.